MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97b357375a52567547a6b5f537d6cccafcf3217fdad3024ea2d654795539bdbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LgoogLoader

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	97b357375a52567547a6b5f537d6cccafcf3217fdad3024ea2d654795539bdbd
SHA3-384 hash:	f6755a389940d3015950892a26cf2a7a75481e2de986404ff931caf1100c317588acb12ba74d386be62aeda0a3e1d02d
SHA1 hash:	06d4c6cde7311fe0bcbd25bf85b04ec249277780
MD5 hash:	d1a1c0cec984bdafdb412d42f159f816
humanhash:	kansas-fish-berlin-double
File name:	file
Download:	download sample
Signature	LgoogLoader Create hunting rule
File size:	2'052'008 bytes
First seen:	2023-01-05 20:55:27 UTC
Last seen:	2023-01-06 06:35:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	8902091575a082aa9537fc8fe254034a (1 x LgoogLoader, 1 x Adware.Koutodoor)
ssdeep	49152:YzNVaV444444444444444444444444444444444444444444444444444444444H:Yzhok8y9vWn3Z3r9Weg
Threatray	100 similar samples on MalwareBazaar
TLSH	T1A795D0DAA5A75EEAE0BD8F3C94678B772701313DC70986ED73858F91725C286E0FA011
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8aa4ceee8c9aa600 (1 x LgoogLoader)
Reporter	andretavare5
Tags:	exe LgoogLoader signed

Code Signing Certificate

Organisation:	fontsinuse.com
Issuer:	R3
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-11-29T20:55:27Z
Valid to:	2023-02-27T20:55:26Z
Serial number:	0455659bd87129a05434ddaf8bee453a3c3c
Thumbprint Algorithm:	SHA256
Thumbprint:	0c042237186898cb899f29dbf13dd06a6e49fd8f60be8be5588abf2645a4104a
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from http://www.isurucabs.lk/Ads11.exe

Intelligence

File Origin

# of uploads :

# of downloads :

187

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-01-05 20:56:10 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0ee78c00-e6a5-475f-b5be-ad0bcedd77ac

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/349801/

Detection(s):

SecuriteInfo.com.Unwanted-Program.004d2a1d1.24883.28046.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Launching a process

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63b739650fdf1633326d6421/reports/94d821ab-e4ed-4e44-9107-c17e3d8afca9/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7c72ad6e-53eb-42f6-9928-ab3c66e525dd

Result

Threat name:

lgoogLoader

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1145934

Signature

Allocates memory in foreign processes

Detected unpacking (creates a PE file in dynamic memory)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected lgoogLoader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/97b357375a52567547a6b5f537d6cccafcf3217fdad3024ea2d654795539bdbd/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=s6zvon22kjlhkr5gwx2tpvwmzl6pgil73ljqetvc2zkhsvjzxw6q._file

Verdict:

malicious

LgoogLoader

5b0fca6f18ae8fde80d95ae6578dd824271372ca5448ddcb4ffb7f81c8d5607e

LgoogLoader

5e445100682a5982df3301b2631e3be0d503df870175d50cf0faa3e374e742fd

LgoogLoader

a48d0a440c75cc77f43f8639b282d5ff22d5ada4da08f7687f8bb1e64ab730fe

LgoogLoader

cae45a48ed911a6b09c3d948019146afe2f1f0c97c07703e067d954d73281f45

LgoogLoader

d06bf8cf6f3e3c5869453c9e444d66390f2c2ddec8d8ebe6cec0207a368d31f3

LgoogLoader

d08b59352d10ca03662860fd6f74d4d275e51a019335c50b264abe9e71c900af

LgoogLoader

d66e9a4ad9b98c270c0b6ef1ab205ab8b3de44d42c694893570e6a7f4cfd8560

LgoogLoader

e806601047d5a080ababc1274c39cd1916583124166b985ca65b08f0a0e6feea

LgoogLoader

fae4abd3d779a55ebef6b421d14465262e711dbdedf3670909ef89e46ee8d109

LgoogLoader

+ 90 additional samples on MalwareBazaar

Result

Malware family:

lgoogloader

Score:

10/10

Tags:

family:lgoogloader downloader

Link:

https://tria.ge/reports/230105-zq1jvadc64/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Detects LgoogLoader payload

LgoogLoader

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c5be645b-bc70-4597-a0c7-a911911ddc8f

Unpacked files

SH256 hash:

00b857c609654f78965bf31fd7940807fa61fc74377f66943df750182bf2d625

MD5 hash:

91aa963819b2a291c5d731a40a30280c

SHA1 hash:

1ed9e2e2e5818e3342b120e5dd2863cac913ec1b

Link:

https://www.unpac.me/results/97b55766-78ea-439c-a1ad-824d3ef555a4/

SH256 hash:

97b357375a52567547a6b5f537d6cccafcf3217fdad3024ea2d654795539bdbd

MD5 hash:

d1a1c0cec984bdafdb412d42f159f816

SHA1 hash:

06d4c6cde7311fe0bcbd25bf85b04ec249277780

Link:

https://www.unpac.me/results/97b55766-78ea-439c-a1ad-824d3ef555a4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/97b357375a52/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/97b357375a52567547a6b5f537d6cccafcf3217fdad3024ea2d654795539bdbd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2488375/

Cape

https://www.capesandbox.com/analysis/349801/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample